Despite increasingly pervasive use of complex passwords and cryptographic authentication and encryption measures, both enterprises and individuals continue to be at significant risk for information theft and computer fraud. A contributing factor to this fraud is the fact that in many transactions, the parties to the transaction are typically not personally known to one another and one party or both parties rely on presentation of a federated credential to infer identity (e.g., a recipient presumes that a party presenting a credential such as, a credit card number, driver's license number, social security number, account name or number, company name, etc., is in fact authorized to use that credential).
For example, in a typical purchase scenario, a first party presents a credit card to a second party, and the second party then decides whether it can trust that the first party really owns that credit card; the second party in this example sometimes requires added security measures in the form of one or more authentication checks (e.g., by requesting that one presenting a credit card also further the card owner's statement address zip code, card verification value or “CCV,” or other information), and it then electronically verifies provided values and presumes that the first party is authorized to use the credential if each requested secondary authentication value is correctly presented.
Despite these measures, the risk of fraud is still present, and a number of attacks can be mounted in such a system, including attempts to hack the electronic systems of the various parties, attempts to eavesdrop and/or replay information submission, and in other manners. Once the credential and any associated authentication secret is discovered, a thief can potentially commit fraud for a period of time until the fraud is discovered and the credential revoked, often through painstaking procedures.
What are needed are techniques for independently authenticating a party presenting a credential or secret information where that information will be received, stored or used in an electronic setting. The present invention addresses these needs and provides further, related advantages.
The subject matter defined by the enumerated claims may be better understood by referring to the following detailed description, which should be read in conjunction with the accompanying drawings. This description of one or more particular embodiments, set out below to enable one to build and use various implementations of the technology set forth by the claims, is not intended to limit the enumerated claims, but to exemplify their application. Without limiting the foregoing, this disclosure provides several different examples of techniques used to communicate keys, credentials and various other types of information. The various techniques can be embodied as software, in the form of a computer, device, service, cloud service, system or other device or apparatus, in the form of data encrypted as a result of these techniques, or in another manner. While specific examples are presented, the principles described herein may also be applied to other methods, devices and systems as well.
This disclosure provides devices, methods, systems and components of these things for addressing the aforementioned problems through the use of loop-based authentication flow. A client seeking to securely communicate with another entity transmits an avatar to that other entity. This “avatar” comprises information that, on its own, cannot be used by the other entity, but once remotely decoded according to the principles herein, serves to provide the information and/or authentication of the client via a trusted, secure network. As will be further described below, this avatar can be used for key exchange, transmission and authentication of federated credentials, and to convey private information in a manner decipherable by only the intended recipient. These techniques address the problems alluded to above, because these techniques provide means for (a) authenticating a party presenting a federated credential as a true owner of that credential, thereby reducing the potential for credit card fraud and other types of fraud, and (b) providing for decryption of encrypted information in a manner resilient to eavesdropping or “man-in-the-middle” attacks. As should therefore be apparent, these techniques provide a more secure mechanism for online communication and for effectuating electronic transactions.
More particularly, a secure network is first constructed where every node in the network is connected to a neighbor node by use of a symmetric key encryption and/or authentication system. When a first entity (e.g., “Bob”) desires to communicate directly with a second entity (e.g., “Acme”), the first entity sends an avatar to the second entity; note that in many instances, this transmission is via untrusted means (for example, via Bluetooth connection or via the Internet). The avatar is at least partially encrypted by Bob's machine using the symmetric key that machine uses for its connection to the secure network; Acme cannot decrypt this avatar on its own, because Acme does not have access to that key. However, because every connection in the secure network is trusted, and because Acme is also a part of this secure network, Acme can route the avatar through the secure network to Bob's domain server for the secure network, which can then decrypt that avatar using the shared key originally used to encrypt the avatar; the secure network then securely returns this information back to Acme using node-to-node encryption using the shared (different) keys used to secure each “hop” of the secure network. Acme is able to decrypt the information sent to it by its domain server using the shared secret key it shares with that server. Acme can then process the information, or provide related services.
Several different use models are supported by this architecture. First, this architecture can be used to create a special key known only to Bob and Acme; this key, referred to as a private session key (or “PSK”), is generated in a manner where neither the secure network nor an eavesdropper can feasibly intercept or derive this key. Second, this architecture can be used to securely share private information using the PSK, in a manner where only the second entity (e.g., Acme) can decrypt the information. Third, this architecture can be used in a manner that permits sharing of a federated credential, in a manner where the federated credential is securely communicated and is also authenticated by a trusted third party, who can determine if the federated credential is being presented by someone other than its owner (e.g., Bob) or is otherwise being used in an unauthorized or atypical manner.
Each of these use models will be discussed in detail below. It should first be noted that whichever model(s) is(are) used, the techniques described herein can be embodied in a number of manners. First, these techniques can be embodied as a method, device, collection of devices, software or a combination of these things practiced by a first entity (e.g., Bob); for example the techniques presented herein can be embodied as a software application for installation on Bob's smart phone, where that software application will cause Bob's smart phone to interact with a secure network, and also to communicate information with (e.g., send avatars to or receive information from) a second entity (e.g., Acme). Second, these techniques can be embodied as a method, device, collection of devices, software or a combination of these things practiced by a second entity (e.g., Acme); for example, the techniques presented herein can be embodied as a software application for installation on a computerized point-of-sale terminal or server (e.g., a computer) of Acme, where that software application will cause Acme's computer to communicate information with (e.g., receive avatars from or send information to) a first entity (such as Bob), to forward avatars to a secure network and to receive returns of information from the secure network responsive to those forwarded avatars. Third, the described techniques can also be embodied in the form of a node (e.g., a server) in the secure network (or software for controlling such a node), for example, that receives avatars from a first source (e.g., Acme), and forwards those avatars through the secure network for decoding at a remote destination and that subsequently forwards returns of information back to the first source (e.g., using shared keys on a node-to-node basis). Fourth, the described techniques can be embodied at a connection point for the secure network, for example, as software used to control the domain server (e.g., network node) that connects Bob to the network; such a node as mentioned shares a secret key with Bob and shares a secret key with at least one other destination on the network, and it receives routed, forwarded avatars (e.g., received by Acme from Bob and routed through the secure network), decodes those avatars, and then sends return transmissions to Acme. Fifth, these techniques can also be embodied in the form of a trusted third party such as referenced above. Such a party maintains a registry associated with secure credentials (e.g., Bob's credentials) that can be used to detect unauthorized use. For example, if an attempt is made to forward one of Bob's credentials through the secure network, but the credential is routed to or from an unknown device (not previously associated with Bob) or is not routed using a unique identifier for Bob (such as Bob's email address), this trusted third party can take various actions such as blocking the communication, notifying Bob, Acme, police or others, requiring additional security measures, delaying communications, asking Bob to enroll a new device or, potentially, other types of actions. The techniques presented herein can be embodied as a collection of devices, a system, or in another form.
The specific use models cited above will now be further introduced. It should be assumed that Bob wishes to provide information in a manner that will use a secure network for purposes of both delivery and authentication; it could be that Bob uses his device to visit a web site or physical site, and he wishes to exchange information with that site (e.g., to make a purchase, submit an application, verify Bob's identity, or for some other purpose). It is assumed for purposes of discussion that this web site or physical site is at least partially manifested as a machine (e.g., a computer, acting as a destination device) and that Bob will directly interact with the site via untrusted means; the untrusted means can be via people (e.g., untrusted employees at the physical site, over the open Internet, via local area communication such as Bluetooth or unsecured wireless, etc.). The destination device or its owner informs Bob that Bob should join the secure network in order to present this information; Bob then visits the secure network on his own, is redirected to the secure network by Acme, or Acme has the secure network contact Bob in order to add Bob's device to the network. In one embodiment, Bob provides his email address to Acme, which then submits this email address to the secure network, and the secure network arranges with Bob to register Bob's device on the network. In another embodiment, Acme provides Bob with a web link (e.g., based on a 2-D bar code) and Bob is directed to a registration page with the secure network. It is also possible for Bob to already be a member of the secure network and for Bob to prompt Acme to join the secure network, in the manner just described. Whichever route is used, if Bob and Acme are not already members of the secure network, Bob and Acme enroll in the secure network which provides processes for (a) assigning or selecting a unique ID for Bob or Acme (e.g., an email address or other identifier), (b) pairing a specific device of Bob or Acme with a domain that forms a connection to the secure network (i.e., using a shared (i.e., symmetric) secret key, set up via private-public key techniques, to thereby set up a trusted connection), and (c) optionally registering Bob and/or Acme in a manner where each device enrolled by that party and that party's unique ID are registered in explicit association with one or more federated credentials, such as credit cards, account numbers, state or federal IDs, social security numbers, taxpayer IDs, redress numbers, and so forth. As used herein, a “federated credential” is a piece of information that a first entity will share with a second entity where the piece of information will serve as a status, representation or authorization on behalf of the first party. Note that, depending on the type of credential, the piece of information does not always need to be uniquely associated with a single individual; for example, the information “Vice-President of Acme” if authenticated can be used to denote that a particular individual has authority to bind Acme to a contract or representation, and there may be multiple such individuals who have the same credential and associated authority. The same can be true of (in some instances) a company credit card, a credit card shared by husband and wife, and so forth. Other types of credentials, such as social security number, will be uniquely associated with a single individual.
Note that the secure network is typically established and managed in such a manner where every entity is known to every other entity via a chain of trusted connections or hops, each predicated on the use of a shared secret key as described above (used to encrypt communications between two nodes in the secure network). Thus, Bob is known to a connection node to the secure network because each enrolled device of Bob has a unique shared key that (barring compromise) is only used for communication between Bob and this connection node. The connection node examines headers used for communications to/from Bob and verifies that Bob's enrolled device is indeed the destination/source of associated communications. In turn, that connection node connects to a second node of the network and uses a shared secret key to encrypt all communications in a manner unique to this trusted connection (i.e., to connect this pair of nodes); the connection node can only decrypt communications from the second node using this (second) shared secret key, the second node can only decrypt communications from Bob's connection node using this (second) shared secret key, and this (second) shared secret key is not used for communications with any other device or network connection. Similarly, this second node examines headers used for communications and verifies that Bob's connection node was indeed the source of communications decrypted using this (second) shared secret key; in one embodiment, each node of the secure network is provided with an updated full map of the secure network, such that verification can be performed from end-device origin and destination information. These processes can be extended to any number of nodes of the secure network, i.e., such that absolute confidence can be placed at any node in the secure network that communications purporting to be from Bob in fact originated from Bob, because every relay of this information (i.e., every “hop”) within the secure network is effectively trusted. The same is true for each machine Acme couples to the network, i.e., each is enrolled in the network and uses a shared secret key to communication with its domain.
For the first use model alluded to above, it is assumed that a first entity (e.g., “Bob”) wishes to generate a private session key (“PSK”) that will be shared with a second entity (e.g., “Acme”). It is assumed for purposes of this discussion that Bob and Acme are already members of a secure network such as described above, i.e., while Bob and Acme can communicate with each other through an untrusted connection (e.g., as exemplified above), Bob and Acme are also linked by a chain of trusted connections through the secure network with each link or hop in the chain predicated on a shared, secret, symmetric key unique to that connection pair. Note in connection with the discussion below that various references will be made to “Diffie-Hellman key exchange” (and feature use of the well-known logarithmic scripts A, B, GA, GB and GAB); however, it should be understood that despite the use of these scripts, any conventional secret key exchange methodology can be used (e.g., predicated on elliptic-curve cryptographic techniques).
In this example, in connection with Bob's electronic communication with Acme (e.g., direct, or through an unknown, potentially untrustworthy or insecure source such as the Internet), software on Bob's device generates a piece of secret information known only to Bob. This secret information is optionally based on the shared secret key that Bob uses for communications with his domain; for example, in one embodiment, the secret information (“A”) can be generated by software on Bob's device by combining a randomizing element such as a time stamp, nonce or other information, with the shared secret key on Bob's device (“keyBob”). The software then uses a generator function “G” to generate GA (it is again noted that this notation for logarithmic generation, used in connection with Diffie-Hellman key exchange, is exemplary only, i.e., in another embodiment, Bob uses a different means, such as a different cryptographic key, to generate this piece of secret information). The term GA refers to a function where it is difficult to derive A from the GA; for example, with traditional Diffie-Hellman key exchange, GA refers to an exponent of a generator (such the number “5”) taken in finite space to compute a remainder. The mathematics associated with this type of encryption (and other equivalent encryption methodologies are well-known). Bob's device takes this information (GA), and then further encrypts it using the secret shared key used by Bob's device to communicate with Bob's domain. Bob's device provides this encrypted “avatar” to Acme together with header information that indicates that Bob is the source of the message, that the message is to be routed to the secure network for authentication/decoding, and that the message is of a type sent to exchange a PSK; other information such as a description of the generator function, a time stamp, session ID, web form field ID, etc., can also be included as part of these headers. Since Acme is not privy to keyBob, Acme cannot decrypt the avatar, but since Acme is privy to the header information, Acme understands that (1) a PSK is to be generated, (2) Acme is instructed forward the avatar to the secure network, and (3) Acme is to generate its own secret information “B” (e.g., using a randomizer and the shared secret key it uses for its trusted connection to the network, keyAcme) and use the same generator function “G” to generate GB, and then attach GB to the avatar. This payload information (e.g., the avatar from Bob's device and GB) is then encrypted using the shared secret key of Acme's device and sent to Acme's domain for forwarding into the secure network and eventual routing to Bob's domain.
Reflecting on these principles, note that Acme receives encrypted information from another entity (Bob) via a first network path and that, instead of interacting directly with Bob directly to decrypt that information via the first network path, Acme instead further encrypts this information and sends it to Bob's domain via a second network path (i.e., via the secure network). That is, Acme receives message1, generates GB, adds headers as appropriate indicating that the message is being forwarded by Acme, encrypts message1 using the key that Acme shares with its domain (i.e., keyAcme) and then forwards a second message to the secure network where that second message encrypts the first massage (i.e., message2=fn{message1}, GB, keyAcme).
When it receives this payload, Acme's domain, in turn, partially decrypts this message back to message1 and GB (i.e., using the shared key it shares with Acme's device) and it also verifies from inspected headers that this information is to be forwarded through the secure network to Bob's connection node. As with Acme's device, the domain for that device similarly cannot decrypt message1 to directly recover GA. Acme's connection node then re-encrypts message1 and GB using a shared secret key for the next hop (e.g., keyAcme's_connection_node) and it relays this encrypted message to the next hop (e.g., message3=fn{message1}, keyAcme's_connection_node, GB). This process continues, using the provided header information to obtain routing guidance, until the payload arrives at Bob's domain. Software on that domain is informed that the message is for PSK generation and originates from Bob or Bob's device, and so it (a) encrypts GB using keyBob, which it then forwards to Bob's device, and (b) it decrypts GA using KeyBob, which it then forwards back to Acme's device. Eventually, GA is delivered to Acme's device, encrypted by the shared secret key that device uses to connect to the secure network (e.g., messagen=fn{keyAcme, GA}), which Acme can decrypt.
Note that there can be potentially many hops connecting Bob and Acme. To cite one example, if Acme's device is an electronic cash register, such a cash register can receive an avatar from Bob and forward that to its domain (e.g., a server for Acme's store). The next node connection could be for example a central data center for Acme—the electronic cash register shares a secret symmetric key with the secure server for the store, and the secure server for the store shares a secret symmetric key with the data center, and so forth. The number of hops or nodes traversed can be many or few, and connection paths can be unique or redundant. Instead of an electronic cash register and point-of-sale (“POS”) environment, similar examples can also be used where different nodes represent tiers within a company's Intranet, different sites or regions, a university, the Federal Government, and so forth. It is also possible to have a single node connecting Bob and Acme (e.g., a single secure service coupling both entities, such that only two hops are used). Many connection methodologies will occur to those having ordinary skill in the art
As should be apparent from the foregoing, Bob possesses A and GB and can therefore compute GAB; similarly, Acme possesses B and GA and can compute GBA. The characteristics of these values are that GBA=GBA, but GAB and GBA cannot feasibly be reverse engineered from GB and GA. Thus, the result is that GBA is known only to Bob and Acme. In one embodiment, GBA is used as a PSK. However, that depending on the encryption methodologies used for the particular embodiment, it may be desired to use GBA to effectuate a more complex key exchange. For example, if GBA is derived from Bob's and Acme's secure network keys and features a relatively low degree of entropy relative to any “randomizer” information, it might be desired to add additional encryption layers to further remove the PSK from the shared network keys; in one embodiment, therefore GBA can be used to encrypt the PSK and exchange the encrypted PSK between Bob and Acme. As will be discussed below, this additional step of removing PSK selection from GBA also facilitates logging of information exchanges, by Acme or others, for non-repudiation purposes (e.g., it renders it more unlikely that the shared secret key or the secret information selected by Bob's device or Acme's device can be discovered from logged information representing transactions). Additionally, this structure also provides for perfect-forward-secrecy, in that in the unlikely event of a network breach, as the PSK would then be independent of any potentially breached keys. Note also that there are many methodologies by which exchange of a selected PSK can be performed; for example, in one implementation, when and as Bob's device is provided with GB by its connection domain, it immediately computes GBA, selects a PSK, and encrypts the PSK using GBA. Bob's device then immediately transmits the encrypted PSK to Bob's domain (which then “piggy-backs” this information on information returned to Acme through the secure network); for example, as will be discussed below, decrypted GA can be transmitted to Acme via the secure network as a first packet, and the encrypted PSK can follow “on its heels” as a second packet.
The PSK can be used for a number of different purposes. For example, in one embodiment, it can be used to encrypt communications transmitted directly between Bob and Acme over an unsecured medium. In a different embodiment, however, one that will be discussed below, the PSK can be used to “doubly-avatarize” private information transmitted through the secure network such that even when the loop-based authentication flow described above is used, that this private information cannot be decoded even by nodes within the secure network.
The transmission of private information in a manner undecipherable by the secure network can be accomplished using principles already discussed and a shared PSK. The PSK is optionally exchanged using the techniques just discussed. To perform the exchange of private information, software on Bob's device takes a particular piece of private information and encrypts it using the PSK. There are many examples of private information that can be exchanged, but in one embodiment, this private information can be information used by a merchant as a secondary authentication value for a credit card or other federated credential, for example, a card check value (“CCV”), a card holder's street address, phone number or zip code, a password, or other information. Once the private information has been encrypted using the PSK, Bob's device then encrypts it a second time, this time using Bob's shared secret key, keyBob (which it will be recalled from the example above is known only to Bob's device and Bob's domain). Bob's device transmits this doubly-avatarized information to Acme with headers, in much the same manner as represented above (note that the headers in this case will indicate that this exchange represents private information). Note that in an alternate embodiment, software on Acme's machines (and/or the machine for Bob's domain) can be coded so as to automatically detect whether the information is singly-avatarized or doubly-avatarized (or processed with even further layers or rounds of encryption), and to process that information accordingly without the need for the property to be explicitly designated in the headers. More specifically, encryption can optionally be configured, according to the teachings herein, to generate ciphers that even upon most rigorous cryptographic inspection do not reveal how many layers of encryption were applied to the plaintext. As such, it is plausible to use multiple PSKs or other encryption parameters, e.g., as PSK1, PSK2, . . . , PSKn, to successively multi-layer avatarize the payload, as dictated by the level of desired security and privacy. The number of layers or rounds can be specified, if desired, by software parameter. Acme cannot decrypt this message since it does not have access to keyBob, so it once again further encrypts this payload (message2=fn{message1}, keyAcme) to effectively encrypt it a third time. This message can be decrypted by network nodes back to the doubly-avatarized, first message transferred from Bob to Acme, and this payload is then encrypted again for forwarding to the ensuing network node. Once again, this message is routed through the secure network to Bob's domain, which uses keyBob to partially decrypt the message to obtain singly-avatarized information (i.e., encrypted using the PSK); since, however, Bob's secure network connection point does not possess the PSK, neither this node or any other node in the secure network (other than Acme) can fully decode the private information. Then, in much the same manner as a decoded GA was decoded and transmitted back to Acme in connection with the first use model described above, pursuant to this second use model, this information is transmitted back to Acme where it can be decoded (this time using both keyAcme and the PSK in successive processes) and applied as desired used by Acme. For example, if used in connection with a secure credit card payment transaction, Acme can then optionally use conventional processes to approve a purchase or other transaction.
The third use model introduced above relates to the exchange of federated credentials. For example, the techniques described above can be used to exchange and validate a credit card number. Note that in one embodiment, a PSK is not used at all for this exchange. For example, if Bob wishes to share his a credit card “1234-567890-12345” with Acme's device, Bob's device encrypts this information using keyBob and sends this encrypted information as an avatar payload to Acme's device via an untrusted Internet or other network connection. Once again, suitable header information is included by Bob's device, in this case, indicating that the encrypted information represents a federated credential and is to be routed to Bob's domain for decoding. As before, for each hop in the chain of trust, a node in the secure network encrypts received payload information using a shared secret key specific to the hop and forwards the information on to the ensuing node; when the forwarded information reaches Bob's domain, the machine at that domain recognizes the message as corresponding to a federated credential and it decodes the credit card number using keyBob, e.g., back to “1234-567890-12345.” Bob's domain then returns this information (“1234-567890-12345”), encrypting it using its secure network shared key, e.g., messagen=fn{keyBob's_connection_node, “1234-567890-12345” }. The information is then decrypted, re-encrypted and forwarded for the next hop by the various nodes of the secure network. In this case, however, one of these nodes corresponds to a trusted third party with whom Bob has registered or has an account. In one embodiment, this trusted third party can be a provider of the secure network or a node used for all communications between the domains for Bob and Acme and, correspondingly, can perform the same functions as any other node (e.g., server) in the network; in another embodiment, the trusted third party can represent a node or hop specially used, only for validation of federated credentials. Depending on implementation, the trusted third party can be a credit card company, an Internet service provider (“ISP”) or search engine, or another services provider company such as Microsoft, Google, Yahoo, Lifelock or another company. As with the other nodes of the secure network, such a trusted third party decrypts information it receives to recover “1234-567890-12345,” and it uses header information to identify Bob's unique ID (e.g., email address, another identifier, or a random tag/number/string), credit card type (e.g., “AMEX”) and similar information. The trusted third party then runs software that performs integrity checks on this information, running exception processes as appropriate. For example, as indicated earlier, such a trusted third party can clear the credential (e.g., optionally adding an authentication stamp or hash if Bob is truly the owner, and then forwarding the message through the secure network toward Acme) or it can inform Bob that an unrecognized transaction has been detected and solicit Bob to register a new device or take other action; other examples are also possible.
As should be apparent from the foregoing description, the various techniques introduced above can be used to provide a myriad of capabilities and benefits for secure transaction processing. These techniques can be implemented in many different manners depending on application. As but one non-limiting example, these techniques can be implemented as plugin software for a web browser; the plugin software detects various fields being solicited by a web-form or transaction device, and the plugin software then automatically and/or transparently applies all three use modes, the first one to exchange a PSK in connection with a handshake process, the second one to exchange each field which is deemed to represent private information and the third one to exchange credentials information, automatically and transparently to the user (e.g., Bob). Should, for example, Bob be called on to fill in a residential loan application online (e.g., a form calling for Bob to list various federated credentials, such as outstanding credit cards, bank accounts and social security number, as well as private information such as phone number and home address), such a browser plugin automatically detects field type and automatically applies the appropriate use model depending on the type of field at issue, all transparently to the user. Clearly many examples are possible.
With various system elements thus introduced, this description will now proceed to describe the various figures (“FIGS.”) and provide additional detail concerning various specific embodiments. Generally speaking, any of the cited structures, operations, algorithms, features, use models, applications or operands (“elements”) can be mixed and matched, and included or omitted in any combination or permutation as desired or as pertinent to the particular application; that is to say, while several specific detailed examples are discussed herein, which feature specific combinations of certain elements, it is generally contemplated that inclusion of any these elements are optional relative to one another and can be combined in any manner suitable or appropriate to a specific design.
Note first that several terms used herein should be introduced. First, “circuitry” can refer to analog or digital electronic elements (e.g., dedicated logic gates), either arranged as special purpose circuitry that necessarily performs a certain function when electrically motivated, or as general purpose circuitry (e.g., a processor, FPGA or other configurable circuit) that is controlled or otherwise configured by instructions (software) so as to adapt that circuitry to perform a specific function and cause that circuitry to operate as though it was special purpose circuitry. In the case of software or other instructional logic, the instructions are typically written or designed in a manner that has certain structure (architectural features) such that, when those instructions are ultimately executed, they cause the one or more general purpose circuits or hardware devices to necessarily perform certain described tasks. “Logic” can refer to software logic (i.e., instructional logic) or hardware logic (e.g., a digital chip or board design) or a combination of these things. “Non-transitory machine-readable media” means any tangible (i.e., physical) storage medium, irrespective of how data on that medium is stored, including without limitation, random access memory, hard disk memory, optical memory, a floppy disk or CD, server storage, volatile memory, memory card and/or other tangible mechanisms where instructions may subsequently be retrieved by a machine. The machine-readable media can be in standalone form (e.g., a program disk, solid state memory card, whether bootable or executable or otherwise, or in other memory) or embodied as part of a larger mechanism, for example, a laptop computer, portable or mobile device, server, data center, “blade” device, subsystem, electronics “card,” storage device, network, or other set of one or more other forms of devices. The instructions can be implemented in different formats, for example, as metadata that when called is effective to invoke a certain action, as Java code or scripting, as code written in a specific programming language (e.g., as C++ code), as a processor-specific instruction set, or in some other form; the instructions can also be executed by the same processor or common circuits, or by different processors or circuits, depending on embodiment. For example, “instructions stored on non-transitory machine-readable media” typically refers to software stored on disk or in other physical memory or storage, where the software is structured such that when it is later (ultimately) installed or executed by an operator or end user, it configures a machine (e.g., one or more processors) so that they operate in a prescribed manner. In one implementation, instructions on non-transitory machine-readable media can be executed by a single computer or processor and, in other cases as stated, can be stored and/or executed on a distributed basis, e.g., using one or more servers, web clients, or application-specific devices, whether collocated or remote from each other. Each function mentioned in the disclosure or FIGS. can be implemented as part of a combined program or as a standalone software module (i.e., an invocable or callable program or subroutine), either stored together on a single media expression (e.g., single floppy disk) or on multiple, separate storage devices, or in the form of dedicated circuitry or circuitry combined with such software. Throughout this disclosure, various processes will be described, any of which can generally be implemented as instructional logic (e.g., as instructions stored on non-transitory machine-readable media), as hardware logic, or as a combination of these things, depending on embodiment or specific design. “Module” as used herein refers to a structure dedicated to a specific function; for example, a “first module” to perform a first specific function and a “second module” to perform a second specific function, when used in the context of instructions (e.g., computer code) refers to mutually-exclusive code sets. When used in the context of mechanical or electromechanical structures (e.g., an “encryption module,” it refers to a dedicated set of components which might include hardware and/or software); for example, an “encryption module” and a “network registration module” would refer to dedicated, mutually exclusive structural elements for performing these functions. In all cases, the term “module” is used to refer to a specific structure for performing a function or operation that would be understood by one of ordinary skill in the art to which the subject matter pertains as a conventional structure used in the specific art (e.g., a software module or hardware module), and not as a generic placeholder or “means” for “any structure whatsoever” (e.g., “a team of oxen”) for performing a recited function. “Electronic” when used to refer to a method of communication can also include audible, optical or other communication functions, e.g., in one embodiment, electronic transmission can encompass optical transmission of information (e.g., via an imaged, 2D bar code), which is digitized by a camera or sensor array, converted to an electronic digital signal, and then exchanged electronically.
More specifically, the federated root 203 in this embodiment is to perform not only verification for federated credentials (229), using a stored database 225, but also to manage state of the secure network (and build and updated network map 227), track reputation of certain sites/entities (230) and enroll new participants/network nodes and provide software to these sites as appropriate (231). Note that as the network is built, there can in this embodiment be many levels of separation from the hub 203 to end-user devices. For example, an end-user device of a particular user is represented at the left-side of the FIG. by numeral 204, and is listed at “level n.” There can be many different configurations and associated motivations for having multiple (i.e., “n”) levels; for example, the user could be an employee of a large, multinational company where the user's domain represents a company site (e.g., “US-Palo Alto, Calif.”) and represents software installed on a local company security network for managing various devices of the company's employee base. Many other examples are possible, including examples involving government, autonomous machines, private individuals, and so forth). In this case, the company site is represented by level n−1 (207), which is indicated to be the end-user's domain. In one embodiment, it is this domain, the closest node to the end-user, which will be used to decode avatars and return them through the network in accordance with the principles discussed earlier. As noted earlier, device 204 will have a shared symmetric key that allows it to establish private communications with its node 207 for connecting to the network; another end-user device, represented by numeral 206, will have its own shared symmetric key that allows it also to establish private communications with node 207, and node 207 manages these key sets (along with other functions described herein). [Note that this second end-user device could be another enrolled device belonging to the same user or potentially to another individual or entity, and that there may be many more than the depicted two end-user devices connected to this node 207.] Node 207 will connect with another domain above it (represented by ellipses 208) using a shared key specific to that relationship, and so on, up through node 209, node 211 and ultimately the hub 203; as was described earlier, generally speaking communications from end-user device 203 to node 207 are encrypted using the shared secret key of the end-user device 204, and the same is true for every other depicted hop, e.g., from level n−1 to level n−2, . . . level 3 to level 2, level 2 to level 1, and from level 1 to the hub 203, and so on. This is to say, each pairing of adjacent nodes is managed to have its own trusted relationships, as is represented by large ellipses 215 and 216, which pairwise encompass nodes, as seen in a middle network branch in the FIG.; only two such relationships are circled but it should be understood that in this embodiment, every node direct node connection pairing has a similar trusted relationship and shared symmetric key. As noted earlier, the depicted number of tiers (levels) in this FIG. (i.e., “n”) and the use of connection “branches” are used for example only, and there could be any number of nodes connected end-users/participants (e.g., connecting end-user device 204 with machine 205, seen at the right hand side of the FIG.), arranged as a “flattened” network, a complex “web,” or in another manner. In a typical communications example, it might be that the end-user device 204 is a smart phone of an individual (e.g., “Bob”) or another type of digital device, as mentioned. As depicted by numeral 217, Bob downloads transaction module software to each device bob wishes to enroll, e.g., from his connection node 207, from the hub 203, or from another source; this software, the can either be relied upon to identify a unique ID for Bob (e.g., Bob's email, or something else) or, preferably, this can be done as part of Bob's initial registration with the system (e.g., via a graphical user interface page presented by an installed app. on Bob's device, or a secure registration web page provided by the federated hub, Bob's domain (e.g., his company) or a provider of the secure network, for display on Bob's device). As also referenced by numeral 217, this software when downloaded and installed on Bob's device requires 2-factor or better authentication from Bob when he wishes to invoke the software (e.g., each time his device seeks to activate the transaction module to effect secure communications) to insulate use of Bob's secret shared key against device theft or compromise. One example of exercising high-security authentication upon every new launch of an application Bob, is to utilize hardware credentials carried by a “FIDO Alliance” certified security token device, with a predefined cycle/period of re-authentication. A software-only multi-factor launch authentication can also be effective, such as using a personal identification number (“PIN”) combined with a unique random-but-retrievable signature, such as a binary-file or a QR code (whether static or dynamically derived from another PIN), or by other means. The transaction module software (or another module, e.g., a key generation software module) establishes a unique cryptographic key on the newly-enrolled device; again, in one embodiment, this is a shared key that will be used to connect Bob securely to node 207. This shared key can be a relatively long, complex key (e.g., 2 k bits or longer in length) and is installed on Bob's device using a conventional key exchange/generation protocol (e.g., such as a Diffie-Hellman exchange, optionally predicated on use of a manufacturer-provided unique device hardware key). As noted by numerals 218 and 219, Bob's device can be any type of digital device (such as the depicted smart phone), running suitable application software (depicted using a floppy disk icon 219). This software is stored on non-transitory media, such as Bob's phone, a floppy disk, server storage, or in some other manner, and can be preinstalled or selectively downloaded to Bob's device 218 such that, when executed, it causes Bob's device to perform as a special purpose machine.
In one embodiment, in order to safeguard against the possibility of compromise of or misuse by any node in the trusted network, software for each of the source (e.g., Bob) and destination (e.g., Acme) can employ two secret-keys that are privately held and kept secret from the rest of the world, a) the private-key of a public-private key-pair, b) a private symmetrical-source key from which the shared symmetrical key is derived with a KDF (Key-Derivation-Function). These private keys can be used by the source/destination to refute any logged transactions in a future forensic review in case of a dispute. In other words, in the unlikely event of a breach (e.g., perpetrated by a Trojan-staff or a data-breach in the trusted network), the source/destination can present in privacy the double private keys in front of a review panel, to show that communications at-issue could not possibly have originated from that particular party. One advantage of such a process is that owning the ‘private-key’ of a public-private key-pair provides a generally accepted mechanism for non-repudiation.
Per the examples introduced earlier, it is assumed that Bob wishes to securely communicate via untrusted connection with another device 205 that is also part of the network or is added to the network. This device 205 is seen at the right side of the FIG. and is depicted to be a level 2 device, implying that it connects up through a level 1 (domain) 213 and then to the hub 203. Each of these node pairings is also configured as a secure trusted connection, meaning that the hub communicates with node 213 using a shared secret key, and that node 213 communicates with device 205 using a (different) shared secret key. Again, while the depicted configuration could represent many different implementations, an example will be used where device 205 is a transaction server or point of sale device of “Acme,” and where node 213 is perhaps a store server connected to many such devices (e.g., as represented by numeral 214). Each device (e.g., each transaction server or point of sale device, 205/214) will download a transaction module; this transaction module configures the device to respond to communications from Bob's device 204 by relaying avatars and other communications through the secure network, as has previously been described. Bob's device 204 could be attempting communication with device 205 through any untrusted connection, for example, an optical (e.g., 2-D scanned bar code from a display of Bob's device), via an Internet or Bluetooth connection, or in some other manner. Alternatively, it is also entirely plausible for Bob to establish first contact with Acme through the secure network itself. As represented by numerals 220, 221 and 223, the software downloaded to devices 205/214, will establish a unique ID for those devices, a shared secret key, and appropriate communication protocols for recognizing different communication types (e.g., PSK exchange avatar, federated credentials, private information) and for appropriately encrypting/decrypting and otherwise handling information routed through the secure network. Once again, the software can be in the form of instructions stored on non-transitory machine-readable media, where those instructions, when executed, cause one or more processors of the device to operate in the manner of a special purpose machine.
Reflecting on the structures and relationships depicted by
As indicated by an optional process block 307, a new client can be directed as part of a web transaction to a site for the secure network. The client machine can be directed to this by scanning a 2D bar code representing a URL or can otherwise be directed to the site via receipt of an email invitation or web page redirection. Per numeral 309, the new client (e.g., end-user) then downloads registers for use of the network providing information such as name, email address and other data. The client then downloads (311) client transaction module software which, as mentioned, will configure the client device to perform the cryptographic, avatar generation and other communication functions referenced herein, e.g., by installing specific software modules for each of these purposes; in one embodiment, this software can be embodied as an app. suitable for download onto a smart phone, pad device, computer, digital television, disk player or other device. This software optionally, as part of a setup process, calls upon the new client to register his or her unique ID, 317 (this can also optionally be performed by a separate process, before the new client is permitted to download the client transaction module software). Per numerals 313 and 315, the network can as necessary establish and configure various domain servers as appropriate, e.g., to increase bandwidth, establish secure servers in closer proximity to the new client, invite an organization or employer associated with the new client to join the secure network, and so forth; as appropriate, any newly added server can be invited to download node software that will perform various server-level functions discussed herein, for example, retrieving or receiving updated maps of the secure network, locally establishing a key data base and database of registration information for supported clients, performing header inspection and associated routing functions, and so forth. Each newly enrolled device, per numeral 317, is associated with a unique ID, either for the device or the user; as implied, in one embodiment, such an ID can be shared across devices—for example, “Bob” might choose to enroll his smart phone as well as his laptop device as respective registered devices. Each of these might be associated with Bob's unique ID (e.g., “bob@example.com”), such that transactions can be routed in a manner where the shared key specific to each device can be used to decode communications at the Bob's domain (in such an implementation, software for Bob's domain might cause that node in sequence attempt to use each shared key associated with “bob@example.com” to detect if there is a match). Other configurations are also possible; for example, software logic can be designed such that communications associated with “bob@example.com” can be directed to multiple nodes, e.g., Bob can have respective devices that connect to the secure network through different nodes, or respective sets of nodes. Note that as depicted by numeral 319, processes are used to establish cryptographic functions on each device, e.g., using PKI and/or a hardware key specific to each device to install the shared secret key. Per numeral 321, a key exchange protocol such as Diffie-Hellman or an equivalent can be used as part of this process. Once the client device has installed the base software functionality, the client (if this has not already been done, e.g., in association with another device of the same user) can be requested to enroll (323) any additional federated credentials in a manner linked to the user's account, for example, credit card numbers, social security numbers, account numbers, and so forth, in a manner associated with the user's account. In one embodiment, these can be stored at the hub's credentials database in an encrypted manner, e.g., such that a hash can be used to detect correspondence between federated credentials (transmitted through the secure network as part of the authentication loop), and such that the hub does not store credentials in a manner that can be easily hacked or otherwise discovered. Per numeral 325, an optional waiting period, security check, authentication or other function can be used to verify credentials before they are available for use with the new client (e.g., with “Bob”) as part of the loop based authentication flow. For example, the federated hub can perform a credit check, process a test transaction, require secondary authentication factors, or take other actions to verify that the each enrolled credential truly belongs to “Bob.” Once enrolled, Bob's unique ID (e.g., “bob@example.com”) and potentially other information will be used to verify that someone claiming to be Bob is truly the owner of the enrolled credentials; for example, as introduced previously, during loop-based authentication flow, the hub or another service can inspect headers and verify that a credit card number matching “Bob's” credit card is cited exclusively by a communication involving Bob's unique ID (e.g., “bob@example.com”). If this correspondence is not confirmed, the communication can be dropped, rejected, reported, or other action can be taken. For example, if a communication from “paul@12345.au” is submitting Bob's credit card number: a fraud message can be sent to Bob, Acme and or others, and the transaction can be rejected (e.g., the prohibits decoding of the fraudulently claimed federated credential, drops the message, or sends a directive to Acme, such that Acme will never receive or process a wrongfully associated federated credential); Acme's web page or other transaction processing equipment can be caused to reject the transaction; the hub can black list the nefarious source (e.g., the hub or a third party can immediately revoke all registrations of “paul@12345au” within the trusted network and prohibit registration of that address, can disallow future registration of any email-addresses that are associated with or similar to “paul@12345au” or can ban use in the trusted network of credentials such as SSN, CCNs, state-DL #, bank accounts, associated with the nefarious source); or other actions can be taken. As noted by numerals 326 and 327, each device, once enrolled, has a secret symmetric (shared) key with one or more connection nodes to the secure network, optionally, stored or otherwise processed using secure, protected hardware of the device such as a secure container, secure memory, secure partition, or other resource; this resource preferably locks the shared key (once installed) against external inspection, e.g., once installed, the key may be used to process data and encrypt that data (e.g., to generate a PSK) but the key may not be read or discovered outside of such a container. Preferably also, the transaction module or other installed software module possesses code to wipe and install a new shared key, for example, on a periodic basis, or responsive to remote command (e.g., from the hub), thus providing one possible mechanism for revoking or resetting a device's network connection in the event of device or key compromise.
The various exchange protocols and use models already introduced will now be discussed in greater detail with reference to
As denoted by numeral 503 in
The originating device first generates an avatar (505) which it then will share with the destination device according to the principles discussed herein. First, software (219) operating on Bob's device (218) generates some private information “A” that it will use to generate a key shared only by the originating and destination devices; “A” for example can be a function of the secret shared key stored on the originating device (and shared with its connection point to the secure network) and some randomizing information, for example, a challenge selected by Bob, Bob's identity, a destination URL or IP address, a session ID, field ID, a time stamp, or similar information (506). Much of this information will also be generated and used in header information to be send in connection with a transmitted avatar, for example, in a manner that can be used to route the avatar through the secure network in an appropriate manner and then by the destination device to appropriately match returned information with its proper session and associated field. In one embodiment, this randomizing information is selected in a manner where it will always be different (e.g., an instantaneous time stamp is chosen) and in other embodiments, this does not have to be the case. A key generation module uses this information to produce a value having a high degree of entropy based on these various values; by high entropy, it is meant that even a slight change in any of the input values will lead to a widely varying output, i.e., it is computationally infeasible to reverse engineer the secret shared key stored on Bob's device (218) even given knowledge of the output information and the randomizing information. In one embodiment, the information “A” can be generated by using Bob's shared key as a primary value, by prepending a seed value or an initial value, and by then performing a CRC-division of the aggregated value, and encrypting a remainder. See generally U.S. patent application Ser. No. 14/831,070, referred to previously. In another embodiment, these or other techniques are used to generate a unique value, which is then applied to a generator function to compute GA, to generate the information that will be avatarized and set to Acme. Note once again that, herein, references to logarithmic key exchange protocols (e.g., A, B, GA, GB, GAB, GBA) should be understood as applying equally to any other key exchange protocol, e.g., based on elliptic curve cryptography or other methodologies. Once GA has been identified, it is then encrypted using the shared secret key on the originating device to generate the avatar (508). Since this avatar has been encrypted using the shared secret key stored on the originating device, and since that key is known only to the originating device and its domain, only these two entities can decode the avatar. The originating device then sends the avatar with appropriate headers to the destination device as two avatar packets (509); the first avatar packet is a function of the encrypted secret piece of information (GA) and the second avatar packet is a function of an encrypted security challenge entered by Bob or chosen transparently by Bob's device. The use of these two packets will be explained below. As denoted by numeral 510, in one embodiment, all of this processing is optionally effectuated using a single mouse click or a single tap or swipe on a smartphone touch-screen. For example, the transaction module (represented by numeral 219) on Bob's smart phone detects that Acme's site is one that accepts avatars, it prompts Bob to enter a secure challenge or otherwise approve use of the avatar function, and upon acceptance, it automatically generates the avatar (i.e., the avatar packet(s)) using the functions represented by box 505). Once generated, this information is sent to the destination device via an untrusted connection, once again represented as the cloud or Internet 417.
Functions performed by the destination device in receiving and rerouting received packets are represented generally by numeral 513. The destination device is represented in
This information is then routed back to the domain for the originating device for processing, as has been previously discussed. For every relay of this information, a node or level in the secure network (a) decodes the received information according to the shared secret key for the prior hop, and (b) re-encodes that information using the shared secret key for communications with the next hop, per numeral 525. This information is then forwarded to the next level (e.g., toward the hub in a system having a hub, for routing to Bob's domain), per numeral 524. This processing is repeated for each trusted network connection (e.g., for each of dashed-line ellipses 403-411 from
In the depicted embodiment, header information for the avatar is used to route information from Acme through the secure network to the hub, and the hub, then routes the forwarded information through the network nodes toward Bob's domain. This structure permits the hub to manage communications flowing through the secure network, potentially at the expense of availability; for example, if a particular node is offline, communications through the secure network can be impacted absent presence of an alternate path. For this reason, some designers might wish to permit a structure where network nodes can directly address each other (e.g., a web architecture) where, for example (see
Returning to
Note that it was earlier referenced that the originating device, in communicating with Acme's site, can generate two avatar packets. Per numeral 538, both of these are received by Bob's domain and each of these prompt a return through the secure network to the destination device (i.e., to Acme). The first packet is processed and results in a return packet to Acme that carries de-avatarized GA, while the second packet is used (i.e., based on the header information it encloses) to return the doubly-encrypted PSK. As denoted by numeral 545, the originating device (Acme) receives the first packet and recovers GA using its shared key with its connection point to the secure network; since this node also possesses unshared information B, it can compute GAB, which is identical to the information computed by Bob's device; when the second packet is received, its enclosed information is doubly-decrypted, first using the key shared used by the destination device for its trusted connection to the secure network, and then using GAB to recover the private session key (PSK). The PSK is then known only to the originating and destination devices (i.e., Bob's smart phone and Acme's POS terminal or server in this example), and can be used for exchanges of private information.
Processing by the destination device is represented by numeral 513. As before, Acme cannot decode the received avatar, e.g., “msg1” (514), though it does further encrypt this message using its trusted connection shared key (keyAcme) to form a second message (“msg2”). Using received headers, it then routes this information to the secure network, per numerals 516, 517 and 558. This information is then relayed hop-by-hop through the secure network, just as before, back to the domain node for Bob's device (218). Each node along this path decodes the received information using the secret key used for the incoming hop path, and re-encodes the received information using the secret key for the outgoing hop path, at all times exclusively using the trusted connections (see dashed line ellipses in
Returning to
Assuming the federated credential is authentic, it is eventually forwarded to and decoded by Acme using keyAcme, and then can be subject to legacy processing. For example, Acme might be required to perform payment clearance by submitting a corresponding credit card number, CCV, card expiration date (and similar information) to a credit card company to effectuate transaction completion, and Acme therefore might acquire each of these pieces of information to satisfy legacy credit card clearance processes.
Note that while two field types are indicated by
Having thus described system flow, this disclosure will now proceed to describe the structure of software (instructional logic) to perform various tasks in association with the flow represented by
As indicated,
More particularly, when and as an originating device is actuated to download a web page or receive an external input, a plugin installed by this software (e.g., as a web browser extension or operating system service) causes a processor of client device (e.g., Bob's smart phone) to recognize sites that suitable for use of the avatar system. This recognition can be accomplished in a number of ways, but as indicated by numeral 702, one optional way this can be done is by presenting a 2-D bar code (QR code) that Bob images with his smart phone's camera, and that then triggers an executable on Bob's smart phone to (a) automatically identify Acme, e.g., as a vendor, and a destination IP at Acme for transactions, (b) identify an item being purchased, and (c) invoke the avatar system to automatically and transparently to engage Acme's transaction server using the avatar system. For example, scanning such a code can cause Bob's smart phone to immediately tally one or more items for purchase, receive via the Internet (or Bluetooth connection) a web-form to be completed for purchases, automatically (internally to Bob's device) populate the form with a credit card number and other transaction information (e.g., Bob's statement address, email address and so forth), display a confirmation screen on Bob's smart phone to confirm purchase, and responsively transmit avatar packets to Acme's site; the software then transmits avatar packets to (a) establish handshake and a shared PSK with Acme's transaction server, and (b) for each given field in Acme's form, exchange one or more avatar packets respective to the given field. The software on Bob's phone encrypts the information as appropriate (in order to safeguard the information transmitted, e.g., over the unsecured Internet or a Bluetooth connection), it receives a forwarded challenge which verifies that Acme is a member of the secure network, and it then exchanges information via the secure network in response to each avatar. As noted above, a hub can provide services of monitoring communication, detecting fraud, validating authenticity of the party presenting credentials, and other related functions. When Bob checks out of Acme's store, Bob's software can receive and display a receipt and confirmation on his cell phone (or a bar code scanned by Acme at checkout) that confirms purchase and/or prints a receipt. This example provides but one model that can be used to provide for an automated purchase, and clearly many other models are available. As an alternative, Bob's software could simply relay on a browser plugin to recognize sensitive fields, in much the same way as is done today to selectively detect and encrypt field-specific information sent today via the Internet. Other examples will also be apparent to those skilled the art.
In
Dashed line 713 represents a visual partition between functions performed by the originating device in creating avatars (above the dashed line 713) and in responding to forwarded information from Acme (below the dashed line 713). For example, after sending avatars, Bob's device will receive a message from Bob's domain encrypted using the secret key that Bob shares with his domain. Bob's device decodes this message to receive Bob's original challenge phrase, authenticating that the inbound communication was in fact prompted by Bob and represents Acme's relay of information through the secure network (714). Verification of this challenge phrase (716) causes Bob's domain to return a decoded GA back to Acme. At the same time, Bob's domain forwards information from Acme (i.e., representing GB) to Bob's device, which is similarly decrypted to recover GB (717), recognize from headers that this information is to be combined with the information (A) generated by Bob's device, and cryptographically compute GAB (718). The software on Bob's device then selects the PSK according to any desired protocol (e.g., typically having a long key length, e.g., 2 k bits plus), and it encrypts this information with GAB (719) and sends it to Bob's domain for forwarding to Acme via the secure network loop path (720). Note that for ensuing exchanges of private information and submission of federated credentials, decoding is performed by Bob's domain and need not directly involve Bob; thus, ostensibly, the software on Bob's device need not take further action other than transmitting avatars to the destination device once a PSK has been exchanged, as represented by a termination function 715. Per numeral 721, processing or transaction consummation can thereafter be performed by Acme. As referenced previously, if an avatar represents erroneous information (e.g., Bob mistypes a field), this can be relayed to Bob's software from the destination device directly through the unsecured connection and displayed on a display screen of Bob's device (722). As discussed earlier, and also underscored by reference numeral 723, in one embodiment, private information exchange is optionally fulfilled using double-avatarization.
As with each participating device, a setup module (not referenced in
An avatar processing module of the software receives incoming avatar transmissions (728) and parses header information (729) to establish sessions with each individual originating device, add pertinent header or other information, and forward avatars (and track forwarded avatars sent to) the secure network. If an inbound avatar packet indicates that it is of a type that is attempting to generate a PSK, the avatar processing module causes one or more processors of the destination device to generate secret information (B) that will result in information (GB) added to the avatar packet (730) as it is relayed to the secure network; as noted previously, although a logarithmic notation is used here, alluding to Diffie-Hellman key exchange, any appropriate (secret) symmetric key sharing process can be used. For all inbound avatars (whether or not PSK generation information is added), an encryption module of the software encrypts these avatars using the secret key shared by the destination device and its secure network parent (733) and forwards this encrypted information to the secure network via the trusted connection of the destination device. As with the participating devices discussed above, in one embodiment, the software uses protected memory or other hardware, or otherwise establishes the encryption process in a manner resilient to hacking of the shared secret key of the destination device, e.g., such that the shared secret key cannot be externally accessed.
Dashed lines 737 and 740, and the region there between, denote actions that can be taken by the secure network, i.e., the destination device forwards avatars and then for each of (n+2) avatars, awaits return of information from the network. More specifically, the domain of the destination device routes forwarded avatars toward the hub, or otherwise to the domain of the originating device of the avatars, and the network provides returns of information (including any validation of federated credentials, as appropriate) (738); per numeral 739, the domain of the destination device returns de-avatarized information representing validated federated credentials. As noted above, this returned information can optionally be accompanied a signature (hash) or other validation stamp applied by the hub or validation service, e.g., encrypted according to a private key of the service and verified using a public key of the service to confirm authenticity of the signature.
The destination device, upon obtaining returns of information, then engages in a number of operations (i.e., below line 740) depending on the type of avatar packet being processed. Note that, as appropriate, the avatar processing module of the destination device can clear a queue corresponding to avatars in flight for information that has been returned for the specific session and also selects the pertinent PSK for the individual session (if multiple transactions or sessions are being processed in parallel). If the particular avatar being processed relates to PSK generation, then pursuant to function blocks 741, 742 and 743, a first returned avatar packet is decrypted according to the shared key of the destination device (keyAcme) to obtain recovered GA, and is then used to calculate GAB, as has been previously described. Per numeral 744, the software then looks for the second avatar packet which it similarly decrypts using the shared secret key of the destination device (745) to receive the de-avatarized (but still encrypted) PSK, which it then decodes using GAB; the destination device is then in possession of the PSK, which it can apply (per path 747) to the decryption of ensuing avatar packets corresponding to the same (e.g., tracked) session. The destination device then receives at least one packet of returned information for each field for which a user such as Bob decides to supply values (e.g., an erroneous entry by Bob can potentially result in receive of multiple avatars for a given web form field), which it decodes, once again, according to the secret key used by the destination device for its trusted connection to the secure network (748). Per numeral 749, private information will still be singly-encrypted and need to be decrypted using the PSK to obtain the information shared of the originating device, and per numeral 750, credentials are not so encrypted. The destination device then stores the decoded information to memory in association with the pertinent web for field for the pertinent transaction, and then performs legacy processing (751); as noted, the software destination device is advantageously structured so as to manage multiple sessions concurrently and to sort information for interleaved avatars from different originating devices to the proper field and proper session, dependent on header information returned with the packet. Also note that if Acme is to store any of Bob's federated or private credentials, it might be desired best to mask the field of display completely or at least its major parts; for example, a credit-card number “0123-4567-8888-9999” might be masked as “****-****-****-**99.” This precautionary measure can help mitigate breach-exploit attacks that attempt to expose finite-sized identity text fields in a web form; furthermore, if desired, high entropy padding methods employing a format-preserving encryption (“FPE”) cipher can also be used to deter breach (e.g., such that Acme for example stores only encrypted fields). Other measures can also be optionally employed.
Once again, two dashed lines, 761 and 762, demark processing performed elsewhere in the network; the ensuing one or more nodes route the forwarded avatar (and other pertinent information, e.g., GB) to the originating client to recover avatarized information, which is then returned by the network, with any credentials validation service appropriate performed by the hub or a third party validation service (763/764). As denoted below dashed line 762, once node y receives this return of information (e.g., per numeral 765 from node z), the communications module passes the information to the encryption module which decrypts (766) the information according to the proper shared secret key and then re-encodes that information (767) for transmission to node x. The communications module then routes this encrypted information back to node x, as appropriate (768). Note that the described methodology applies for most any node in the secure network, e.g., node x can represent the destination device of Acme, while node z can represent the hub or the domain of the originating device. Also note that while the use of a reciprocal path is represented by this FIG. (e.g., a return of information from Bob's domain is illustrated as traversing the same path used to forward the avatar, but in reverse), this is not required for all embodiments, e.g., in one embodiment, the return of information is allowed to take a different path than the avatar from the destination device.
Software processing of communications at the hub, in one embodiment, is referenced by numeral 783 of
In processing communications, per number 784, the hub receives a packet from a level 1 node in the secure network (see
At the domain for the originating device, as mentioned, processing is performed as depicted between dashed lines 790 and 791. That is, for example, Bob's domain decodes a received avatar using the key shared with Bob's device, and it returns a de-avatarized but still encoded secret value GA, a federated credential, or singly-avatarized private information, as described previously (792). On this return of information, the hub then performs processing as depicted between dashed lines 791 and 793. For example, it receives a return of information from node b and decodes that information according to the pertinent key (794). As part of examining headers for the returned information, the communications module causes the hub to determine whether the returned information is a federated credential; if the returned information does represent a federated credential, then a test is performed (795) to determine whether the federated credential is being used by an entity associated with that federated credential; as indicated, in one embodiment, this test can be performed simply by determining whether the credential is represented in a credentials database managed by the hub (or validation service), for example, in reference to credentials database 229 from
As indicated below dashed line 793, once return information has been forwarded by the hub, it is processed as has been described previously, that is, the network routes the information to Acme (798) which then proceeds with a transaction or other processing, as represented by numeral 799.
Note that the various software functions described with reference to
Also, while the software can be configured as various alternate download packages (e.g., one for browsing, such as on “Bob's smart phone” or “Bob's laptop,” and another package for merchants (e.g., Acme's network)), it is possible to have one omnibus software package that installs itself as appropriate to the installation (e.g., as node software, per the representation of
To prepare the user field (“OpenSesame”) for encryption, the software pads this field as appropriate, in this example, to create a 64-ASCII character field of e.g.,
“OpenSesame100_1InMe23st3gMN4ondeezwpkdV3f0S4U801Atbm1h0_gCgVkZ”
which will then form an operand of the encryption process. By “format preserving,” it is meant that in association with this encryption methodology, the encryption output will represent the same number space as the input and thus also in this example be represented as a 64-character string. By “high entropy,” it is meant that the encryption process is robust in generating outputs which differ widely in value in the encrypted number space, and are capable of producing values distributed throughout the encrypted number space, based on variation in the input values. Note also the padding process can be a combination of applying a high-randomness padding and a key-driven MAC (Message Authentication Code), achieving both heightening of the source entropy and tamper/forgery-resistance. In one embodiment, the encryption process involves a high degree of bit diffusion (857) such that slightly varying inputs (e.g., in a single character) will propagate to difference in many characters of the output, rendering it more difficult to derive either the key or the input text with only knowledge of the output. As represented by numeral 859, in one embodiment, a non-linear substitution step is used, whereby a sequence of input values is mapped on a non-linear basis to a sequence of output tables, e.g., through the use of a lookup table. Per numeral 861, in one embodiment, encryption inputs and outputs are restricted to the ASCII character space (or an even smaller, URL-safe subset) rendering it relatively easy to express input or output values as a URL or text string. Per numeral 863, the input number space and output number space are not restricted to binary values; see the copending U.S. patent application Ser. No. 14/831,070, incorporated herein by reference, for details on exemplary non-binary space, format preserving encryption process. As noted by numeral 865, the encryption process is advantageously a completely reversible process such that, given knowledge of the keys used to perform encryption (e.g., the shared secret key, secondary key, PSK and so forth, as appropriate), it is possible to completely recover the input string from cipher text 851 output by the encryption process. Note that these parameters are general parameters, and any conventional encryption process suitable for use with these parameters may be applied to perform encryption. In one embodiment, AES-256 or a similar encryption protocol is used for encryption, and in another embodiment, another encryption protocol can be used, for example, a permutation-vector-shuffle technique, as descried in U.S. patent application Ser. No. 14/831,070. As seen at the right-hand side of
“3aQDubdtUOP5Vl_w2cO1l64Tlkv9FFWLJNL8W2JsZMnzlVbeWdJLKLQ_dLGDOA”
(855) which will form the avatar payload in this example.
“Nty771pl0q9iYmm314gTww8oEz1137aXvCv_1Tt81fe7Pty09qqF39HpMHr56t8s”
(871). This information is transmitted (873) through the secure network by the destination device, and it arrives at a destination node following each hop where it is decrypted (877) using the shared secret key used to encrypt it, in the illustrated case, the shared secret key used by the destination device (AcmeBank.com's server), 865. Per numeral 875, this node (e.g. a server in the cloud) also is caused to store this key (and other shared keys used for communications) in a protected manner, such as protected memory 875. The decryption process recovers the avatar, i.e., the cipher-text (851) of
“3aQDubdtUOP5Vl_w2cO1l64Tlkv9FFWLJNL8W2JsZMnzlVbeWdJLKLQ_dLGDOA”
(855), but it cannot decode the avatar payload. The node then performs encryption using another shared key and a similar format preserving encryption process, to forward a re-encrypted avatar onto the next node, and so forth.
Ultimately, the avatar payload is received via the secure network at the domain server for the originating digital device, i.e., the domain for Bob's smart phone, and is partially decrypted and returned to the destination device.
As should be apparent, these techniques provide powerful mechanisms for mitigating online fraud and identity theft. Should someone not in possession of Bob's device attempt to use Bob's credentials, the validation service discussed above provide a means for detecting fraudulent usage, e.g., because software run by the validation service detects if a credential is duplicated already in the credentials database (e.g., and/or is already associated with another email address, device, etc.). In the event that Bob loses his smart phone, the validation service can establish means for permitting Bob to revoke his shared secret key, and thus prevent a thief from using the avatar system to process or otherwise validate those credentials. Note that this process does not require Bob to revoke his underlying credentials (e.g., credit card numbers), which can simply be re-registered using a new user ID. Many other techniques and advantages will occur to those of ordinary skill in the art.
In many of the examples above, the model of an instore or online transaction was used, but clearly the described techniques can be applied in a myriad of different situations, for example, to loan applications and other situations involving forms submission or credentials presentation. To cite an illustrative example, the described techniques can be applied to site access entry restriction, e.g., a secure site entry door mounts a QR code, which is then scanned in the manner referenced above by a user's smart phone; that smart phone transmits an avatar to the site security system, which then processes the avatar using the techniques referenced above, decoding the avatar using a trusted network connection and a key shared only with the user's domain server. Upon receiving de-avatarized information matching an electronic security credential assigned to the user, the system unlocks the site security door, optionally capturing a picture of the user as he or she enters the door. An extension of this model can also be used for example to provide boarding passes for airline travel, e.g., via loop-based authentication flow communication with a point-of-departure electronic terminal. As yet another example, it is not necessary for all embodiments that a user transmit avatars electronically; in another application, a user employs the client transaction module software on his or her digital device, which then generates a token which is displayed to the user. The user or a third party then enters that token manually on to a form or electronic keypad. For example, in filling out a loan application, a user can enter a token generated by his or her device, where the token is an electronically generated avatar as described herein, but is manually entered by the user. The token is then later keyed into an electronic system (e.g., by one processing an application, such as a loan application), and the system then de-avatarizes the information as described above; such a methodology helps protect sensitive information (e.g., social security number) from exposure to untrusted individuals, e.g., employees at a bank—the correct, decoded information can be generated electronically, transparently, and the true, decoded value stored in secure computer memory.
The loop-based flow techniques described above directly address some of the root weaknesses in today's retail transaction processing systems, especially including the presence of anonymous parties. Because a secure network, predicated on overlapping trust domains and loop-based decoding and authentication permits verification of identity and association with a federated credential without ambiguity, there are effectively no anonymous parties, which makes it easier to identify and isolate sources of unethical behavior from a systematic perspective. Also, the described techniques also benefit individual users by helping to mitigate against the proliferation of account names and complex passwords, and against the associated typical user response of selecting easy-to-remember, correlated passwords. As noted above, some embodiments permit a user to locally store credentials and private information (e.g., in encrypted form, with client transaction module software optionally encrypting this information as stored) while using it to prepopulate fields in forms or otherwise providing that information for selection; the described techniques provide encrypted information in the form of avatars over untrusted connection, with an independent “loop path” based on overlapping trusted network connections relied upon to decode information and provide decoded information to the intended recipient, in many cases with validation of provided information as associated with the true owner. It is thus less necessary for users to remember a multitude of secure passwords or, for that matter, to require the use of a password in an online transaction; the described network permits authentication of all parties to a transaction, so there is less need for passwords as a secondary authentication factor to restrict for account access. Simply stated, using the loop-based authentication techniques described above achieves the goals of secure password usage without requiring a secure password, because it reliably guarantees that “Bob” is indeed a party to a transaction, because it reliably guarantees that Bob is in fact the owner of a federated credential, and because it uses a process that is resilient to unethical intermediaries.
As noted, the techniques discussed above also help facilitate non-repudiation. That is, repudiation of completed retail transactions typically costs businesses billions of dollars per year. This can happen when a thief makes retail purchases with a stolen credential and the credential's owner denies making the purchase; it can also happen when the credential's owner purchases merchandise and then denies the purchase, i.e., when the owner commits “friendly fraud.” Use of the loop-based techniques presented above help reduce both types of fraud by making it more difficult for thieves to misappropriate the federated credentials of another, and by making it more difficult for a user (e.g., Bob) to deny authenticity of a transaction that was consummated using his phone, his unique ID (e.g., his email address and so forth).
Finally, the described techniques also facilitate denial of system access to notoriously unreliable entities (e.g., entities that have committed fraud or theft in the past). As noted above in connection
The process is generally referenced by numeral 901 in
As denoted by the right side of the FIG., the merchant (Acme) in this example has at least one in store computer or transaction server 912, which is further coupled to an accounts receivable system 913. The computer/server in this example is responsible for serving price and order information to Mary's smart phone, while the accounts receivable system receives a handoff from the computer/server and handles payment confirmation and transaction receipt generation. Note that in some embodiments, the functions can be integrated on a single computer or otherwise handled by a single software package.
As indicated by numeral 915, when Mary's smart phone receives the transaction number, transaction amount and automated payment information, it then transmits this information directly to a payment processor, for example, to Mary's bank 917, to Mary's credit card company 919 or to another processor (e.g., PayPal, Google Wallet, or another service) 921. Such an election (i.e., credit card selection) can be made part of a transaction checkout page which asks the particular entity (e.g., Mary) to confirm purchase and to confirm the initiation of funds transfer and/or payment clearance (923). Whichever payment methodology is selected, as indicated by arrows 925, the pertinent payment processor then effects automated electronic transfer of funds to the merchant (Acme), which causes the accounts receivable system to consummate the transaction and generate a receipt 927; for example, this receipt can be structured to display a bar code or other information at a store's exit to perform inventory check or for other purposes, or to permit the user (Mary) to print out a hard copy itemized receipt at a later time.
Note some of the advantages to the scheme just discussed: First, a user (such as Mary in this example) need never expose his or her credential (e.g., credit card) to a human operator, even to an employee of Acme; second, the user in this example never has to wait in a line, e.g., a transaction can be initiated and consummated purely at the user's convenience, with the user simply displaying an e-generated checkout receipt at the store's exit, to the extent this is required for inventory control purposes; finally, depending on implementation, a payment processor can process and clear transactions without ever needing to transmit decrypted credentials to a third party.
Clearly, the described techniques can be implemented to provide a wide variety of e-commerce or other implementation scenarios; for example applications once again exist for secure site access and other types of transactions, as referenced earlier.
The foregoing description and in the accompanying drawings, specific terminology and drawing symbols have been set forth to provide a thorough understanding of the disclosed embodiments. In some instances, the terminology and symbols may imply specific details that are not required to practice those embodiments. The terms “exemplary” and “embodiment” are used to express an example, not a preference or requirement.
Various modifications and changes may be made to the embodiments presented herein without departing from the broader spirit and scope of the disclosure. Features or aspects of any of the embodiments may be applied, at least where practicable, in combination with any other of the embodiments or in place of counterpart features or aspects thereof. Accordingly, the features of the various embodiments are not intended to be exclusive relative to one another, and the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.
This disclosure is a continuation of U.S. Utility application Ser. No. 15/063,487, filed on Mar. 7, 2016 on behalf of first-named inventor Paul Ying-Fung Wu for “Secure Communications Using Loop-Based Authentication Flow;” in turn, application Ser. No. 15/063,487 claims priority to U.S. Provisional Patent Application Nos. 62/286,335, filed on Jan. 23, 2016 on behalf of first-named inventor Paul Ying-Fung Wu for “Techniques For Secure Exchange Of Credentials And Private Information,” 62/232,043, filed on Sep. 24, 2015 on behalf of first-named inventor Paul Ying-Fung Wu for “Improved Secure Credentials Exchange, Related Methods, Devices & Systems,” 62/272,001, filed on Dec. 28, 2015 on behalf of first-named inventor Paul Ying-Fung Wu for “Techniques For Secure Credentials Exchange,” and 62/256,596, filed on Nov. 17, 2015 on behalf of first-named inventor Paul Ying-Fung Wu for “Improved Secure Credentials Exchange, Related Methods, Devices & Systems.” The aforementioned patent applications are each hereby incorporated by reference, as is U.S. Utility patent application Ser. No. 14/831,070, filed on Aug. 20, 2015 on behalf of first-named inventor Paul Ying-Fung Wu for “Encryption And Decryption Techniques Using Shuffle Function.”
Number | Name | Date | Kind |
---|---|---|---|
5872517 | Hellman | Feb 1999 | A |
7552467 | Lindsay | Jun 2009 | B2 |
8627084 | Pauker et al. | Jan 2014 | B1 |
9178701 | Roth | Nov 2015 | B2 |
9208491 | Spies et al. | Dec 2015 | B2 |
9489521 | Martin et al. | Nov 2016 | B2 |
9635011 | Wu | Apr 2017 | B1 |
10021085 | Wu et al. | Jul 2018 | B1 |
20020123972 | Hodgson et al. | Sep 2002 | A1 |
20030182552 | Tanimoto | Sep 2003 | A1 |
20050147244 | Molovyan et al. | Jul 2005 | A1 |
20060034456 | McGough | Feb 2006 | A1 |
20070233540 | Sirota | Oct 2007 | A1 |
20070234410 | Geller | Oct 2007 | A1 |
20090132813 | Schibuk | May 2009 | A1 |
20110131635 | Schneider | Jun 2011 | A1 |
20130103685 | Preneel et al. | Apr 2013 | A1 |
20130251150 | Chassagne | Sep 2013 | A1 |
20140192809 | Park | Jul 2014 | A1 |
20140304825 | Gianniotis et al. | Oct 2014 | A1 |
20140344164 | Pauker et al. | Nov 2014 | A1 |
20150199684 | Maus | Jul 2015 | A1 |
20160378949 | Fu | Dec 2016 | A1 |
20170310475 | Hu | Oct 2017 | A1 |
Entry |
---|
Yahya et al., “A Shuffle Image-Encryption Algorithm,” Journal of Computer Science 4 (12): 999-1002, 2008 ISSN 1549-3636, 2008 Science Publications, 4 pages. |
“Streamlining Information Protection Through a Data-centric Security Approach,” Hewlett-Packard Company White Paper, www.voltage.com, 2015 Hewlett-Packard Development Company, L.P., 16 pages. |
Notice of Allowance, U.S. Appl. No. 15/461,384, dated Apr. 10, 2018, 20 pages. |
Notice of Allowance and interview summary, U.S. Appl. No. 14/831,070, dated Mar. 15, 2017, 23 pages. |
Wikipedia entry, “Kerberos (procotol),” Aug. 15, 2018, 7 pages. |
Wikipedia entry, “Transport Layer Security,” Aug. 15, 2018, 33 pages. |
Notice of Allowance U.S. Appl. No. 16/004,181, dated May 13, 2019, 17 pages. |
Notice of Allowance U.S. Appl. No. 15/063,487, dated Jul. 9, 2018, 12 pages. |
Number | Date | Country | |
---|---|---|---|
20190260586 A1 | Aug 2019 | US |
Number | Date | Country | |
---|---|---|---|
62286335 | Jan 2016 | US | |
62272001 | Dec 2015 | US | |
62256596 | Nov 2015 | US | |
62232043 | Sep 2015 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 15063487 | Mar 2016 | US |
Child | 16263412 | US |